SEC v. SolarWinds: Court Rejects SEC Authority Over Cybersecurity Controls and Most Alleged Disclosure Violations
The U.S. District Court for the Southern District of New York dismissed the majority of the claims that the Securities and Exchange Commission ("SEC") asserted against SolarWinds, including the claim that the company's alleged cybersecurity deficiencies amounted to a failure of internal accounting controls, as well as most of the disclosure-based claims, including those based on post-incident disclosures.
On July 18, 2024, the U.S. District Court for the Southern District of New York dismissed the majority of the SEC's claims in its high-profile litigation against SolarWinds and its chief information security officer, Timothy Brown.
The SEC alleged that the defendants grossly overstated the strength of SolarWinds's cybersecurity defenses before a major breach in 2020 and then dissembled about the breach. The SEC further alleged that SolarWinds's cybersecurity amounted to a failure of "internal accounting controls" because its cybersecurity measures failed to limit access to its "most vital assets," including source code, databases, and products. The allegations against Brown stemmed from his responsibility for the technical content and accuracy of the company's risk disclosures, as well as his allegedly false sub-certifications and his actions in disseminating misleading information.
The court dismissed the majority of the disclosure-based claims, including all post-incident disclosure claims. The court observed that SolarWinds's disclosures about the breach painted a dire picture of the situation based on the information available at the time. The court sustained only the pre-incident disclosure claims related to the security statement on the company's website, finding that the SEC had viably pled that the security statement contained misrepresentations concerning SolarWinds's access controls, password protection policies, and cybersecurity practices overall. In rejecting the other pre-incident disclosure claims, the court rebuffed the SEC's challenge to SolarWinds's cybersecurity risk factor disclosures, concluding that they described critical risks and implications that were specific to SolarWinds's business.
The court rejected as "untenable" the SEC's novel contention that the term "internal accounting controls," as used in Section 13(b)(2)(B) of the Exchange Act, includes cybersecurity controls. The court found that "internal accounting controls" applies only to "financial accounting controls," and that there was no evidence Congress intended the term to extend to cybersecurity controls. This decision undercuts the SEC's efforts to expand its regulation of cybersecurity through this new theory, which it also asserted in its recent enforcement action against R.R. Donnelley & Sons Company, an action that was resolved by settlement.
Whether the SEC will scale back its cybersecurity enforcement in light of this decision remains to be seen. Given the rules adopted earlier this year by the SEC, the adequacy of cybersecurity disclosures will continue to be a focal point for the SEC staff. To mitigate risk, issuers should confirm that adequate procedures are in place so that those making disclosure decisions do so based on accurate and up-to-date information about the company's cybersecurity posture.